Amnesty International warned in a new security briefing that human-rights advocates in countries across the Middle East and North Africa have been the victims of advanced fraudulent login attacks (“phishing”). The rights organization alleged these attacks originate from governments in the Persian Gulf, and believes as many as 1,000 activists have been targeted.

The human-rights group posted a lengthy blog entry describing the sophisticated approach these attacks have taken. It found that governments try to mislead a targeted person into giving up not just their password, but a security code (known as a second factor) used for extra validation for a site login. With both the password and this code, an attacker can typically access all data in an account, delete items or make changes, quietly re-route incoming or outgoing email, or hijack it entirely.

Both non-governmental organizations and government agencies in less-repressive nations have exposed elaborate campaigns of phishing and malware attacks in the past. One of the most significant took place in 2016, when researchers uncovered three severe, previously undiscovered exploits against Apple’s iOS, which powers the iPhone, aimed at United Arab Emirates’s Ahmed Mansoor, a prominent advocate for political freedom in that country.

In a phishing attack, a target receives an email, text, or other message that sends them a link to log into an account at a service like Gmail, Facebook, or a web email host, usually offering a reason—even suggesting that their account has been compromised and requires a password reset.

The link takes the victim to a fraudulent site that has a domain name and design intended to resemble as closely as possible the legitimate site. An unwary user enters a password, which the phisher uses to access the account.

General security experts and those who advise journalists and political activists strongly recommend turning on “two-factor authentication” wherever possible, in which a password is only the first part of a login. A user must also enter a code sent via an app, an operating system, as a text message, or an automated voice call, or approve the login from an app associated with the account.

That second factor requires access to a computer, mobile phone or tablet, or phone number. The code is typically time bound, working often for as little as 60 seconds or just a few minutes.

Amnesty International warned that in the wave of sophisticated phishing attacks it’s seen, after a user enters their password on the fake site, the attacker uses that password to complete the first login step on a site. The site automatically sends the second factor to the user through their phone or other method.

The phishing site shows a fraudulent dialog prompting for that second factor, which, if a user enters it, gives the attacker full access to their account. Amnesty International explained further that because many sites allow the creation of “app passwords” typically used with email software that can’t manage a two-factor login directly, an attacker could effectively create an invisible backdoor to checking a victim’s email without requiring the second factor for subsequent email harvesting.

The group recommended vigilance in responding to any unsolicited or unexpected links. Rather than click a link received, it’s far better to use a bookmark already set or enter the domain name in a browser.

Further, some two-factor systems, such as Apple’s, provide geographic information about the origin of a login attempts. Many users tap or click and ignore this detail.

Amnesty International continues to recommend using two-factor authentication as an effective improvement in account security, regardless of attempts to fool users into giving up these time-limited codes.